Alex Willmer - CloudABI: Capability based security on Linux/Unix [EuroPython 2016] [19 July 2016 / 2016-07-19] [Bilbao, Euskadi, Spain] (https://ep2016.europython.eu//conference/talks/capability-based-security-on-unix-with-cloudabi)
Take POSIX, add capability-based security, then remove anything that conflicts. The result is CloudABI, available for BSD, Linux, OSX et al.
A CloudABI process is incapable of any action that has a global impact It can only affect the file descriptors you provide. As a result even unknown binaries can safely be executed - without the need for containers, virtual machines, or other sandboxes.
This talk will introduce CloudABI, how to use it with Python, the benefits, and the trade-offs.
[CloudABI](https://nuxi.nl/) is a new POSIX based computing environment that brings [capability-based security](https://en.wikipedia.org/wiki/Capability-based_security) to BSD, Linux, OSX et al.
Unlike traditional Unix, if a CloudABI process goes rogue it _cannot_ execute random binaries, or read arbitrary files. This is achieved by removing `open()` & any other API able to acquire global resources. Instead a CloudABI process must be granted _capabilities_ to specific resources (e.g. directories, files, sockets) in the form of file descriptors. If a process only has a descriptor for `/var/www` then it's _incapable_ of affecting any file or folder outside that directory.
This talk will
- Review the security & reusability problems of Linux & Unix processes - Introduce capability-based security - Summarize the design of CloudABI - its benefits & trade-offs - Demonstrate how to write Python software for CloudABI & run it - Point out the pitfalls & gotchas to be aware of - Discuss the current & future status of CloudABI
CloudABI began life on FreeBSD. It also runs DragonFly BSD, NetBSD, PC-BSD, Arch Linux, Debian, Ubuntu, & OS X. The API & ABI are kernel agnostic - a CloudABI binary can run on any supported kernel. The design is evolved from [Capsicum](https://www.cl.cam.ac.uk/research/security/capsicum/), a library that allows processes to drop access to undesired syscalls at runtime. CloudABI applies this at build time to make testing & lock- down easier.